As noted in #261 (comment), a new version of Microsoft.DiaSymReader hasn't shipped for more than a year and is missing the netstandard2.0 TFM upgrade.
The latest package version on nuget.org brings in NETStandard.Library/1.6.1, which itself transitively brings in the entire .NET Standard 1.6 dependency graph (which is huge). That graph might contain either deprecated or vulnerable packages which we haven't touched for years.
I noticed this as I looked into a package that depends on Microsoft.DiaSymReader and the reference caused Component Governance warnings.